On Thu, 18 Sep 2008, Philipp Kempgen wrote:

> Gordon Henderson schrieb:
>
>> If the web server is running php, then this will work:
>>
>> <?
>>
>>    $action = $HTTP_GET_VARS["action"] ;
>>    $file   = $HTTP_GET_VARS["file"] ;
>>    $caller = $HTTP_GET_VARS["caller"] ;
>>
>>    if (empty ($action) || empty ($file))
>>      die ("Something went wrong")  ;
>>
>> // Open the file
>>
>>    $fileName = "/prefix/" . $file ;
>>    $fd       = @fopen ($fileName, "rb") ;
>
> Without any validation of the filename?
> It could be "../../secret/file".

Left as an exercise to the user. That's not what I use 'for real', I just
hacked out the relevant bits.

Gordon
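
The filename check raised in this exchange, as an added example that is not part of the original posts or anyone's production code: the requested name is resolved with realpath() and accepted only if the result still lies under the base directory. The helper name resolve_under_base() and the temporary demo tree (standing in for "/prefix/") are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_under_base() is a
// hypothetical helper; the base directory stands in for "/prefix/".

function resolve_under_base(string $baseDir, string $file): ?string
{
    // Empty names and NUL bytes are never valid file names.
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling
    // such as "/prefix2" does not pass as being inside "/prefix".
    $root = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : null;
}

// Constructed demo tree: one file inside the base, two outside it.
$tmp = sys_get_temp_dir() . '/trav_demo_' . getmypid();
foreach (['a/prefix', 'a/prefix2', 'secret'] as $dir) {
    mkdir("$tmp/$dir", 0700, true);
}
$files = ['a/prefix/greeting.wav', 'a/prefix2/other.wav', 'secret/file'];
foreach ($files as $f) {
    file_put_contents("$tmp/$f", 'x');
}

$names = ['greeting.wav', './greeting.wav', '../../secret/file',
          '../prefix2/other.wav', 'missing.wav'];
foreach ($names as $name) {
    $path = resolve_under_base("$tmp/a/prefix", $name);
    printf("%-22s => %s\n", $name, $path === null ? 'rejected' : $path);
}

// Remove the demo tree.
foreach ($files as $f) { unlink("$tmp/$f"); }
foreach (['a/prefix', 'a/prefix2', 'a', 'secret'] as $dir) { rmdir("$tmp/$dir"); }
rmdir($tmp);
```

Only the path returned by the helper should be passed to fopen(); the raw request parameter is never concatenated into the path that gets opened.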


asterisk-users mailing list